Malware Analysis Report

2024-09-11 08:40

Sample ID  240612-gsytxssepa
Target     230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe
SHA256     71a51332a8ea004e1c232d78b260e1ed17cc758255a5ee131aef12049a80da68
Tags       neconyd trojan
Score      10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

71a51332a8ea004e1c232d78b260e1ed17cc758255a5ee131aef12049a80da68

Threat Level: Known bad

The file 230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 06:04

Signatures

Neconyd family

neconyd

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 06:04

Reported

2024-06-12 06:07

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A

Drops file in System32 directory

Description                   Indicator                        Process                                     Target
File created                  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
File opened for modification  C:\Windows\SysWOW64\merocz.xc6   C:\Windows\SysWOW64\omsecor.exe             N/A

Processes

C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country  Destination         Domain           Proto
US       8.8.8.8:53          lousta.net       udp
US       8.8.8.8:53          lousta.net       udp
US       8.8.8.8:53          ow5dirasuek.com  udp
US       8.8.8.8:53          lousta.net       udp
US       8.8.8.8:53          lousta.net       udp
US       8.8.8.8:53          mkkuei4kdsz.com  udp
US       8.8.8.8:53          ow5dirasuek.com  udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5     571ef3f20a7e4eb4071c1ef5a761fc59
SHA1    91e5e12ce1c01e84692d51e5bc9839cba139fccb
SHA256  73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910
SHA512  0ecfca4fe110757ce1bfe8947dae854c6a8bf2ad07c4031cdb7c4f02c4e731bf7d321bf5db73f143fca87d27baafd82acb6612eddf3947e289e6d6c21c3bd80b

C:\Windows\SysWOW64\omsecor.exe

MD5     9d8ff759f2ed0607541ff7180bde2299
SHA1    5f66a890378a3d4e6265fe8c070904985c015bc9
SHA256  d9e23e74e79f6858b5119a92d1ca7eebc47b3285fa3d3761569aef83547c9ae9
SHA512  91a9ac51b8e438a38caa9ab1442e28d04279244bc1191787e18983d1bcd0758990f1ef0a6f58503d53d88ae0c2d8a3898a0f916d9338c214d88c756d8921cfde

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 06:04

Reported

2024-06-12 06:07

Platform

win7-20231129-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                                                Target
PID 1420 wrote to memory of 3000  N/A        C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 3000  N/A        C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 3000  N/A        C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 3000  N/A        C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3000 wrote to memory of 2916  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Windows\SysWOW64\omsecor.exe
PID 3000 wrote to memory of 2916  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Windows\SysWOW64\omsecor.exe
PID 3000 wrote to memory of 2916  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Windows\SysWOW64\omsecor.exe
PID 3000 wrote to memory of 2916  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Windows\SysWOW64\omsecor.exe
PID 2916 wrote to memory of 1980  N/A        C:\Windows\SysWOW64\omsecor.exe                                                        C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2916 wrote to memory of 1980  N/A        C:\Windows\SysWOW64\omsecor.exe                                                        C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2916 wrote to memory of 1980  N/A        C:\Windows\SysWOW64\omsecor.exe                                                        C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2916 wrote to memory of 1980  N/A        C:\Windows\SysWOW64\omsecor.exe                                                        C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\230bf9976b5734b13b93eefa1849b8e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination         Domain           Proto
US       8.8.8.8:53          lousta.net       udp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       8.8.8.8:53          mkkuei4kdsz.com  udp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp
US       8.8.8.8:53          ow5dirasuek.com  udp
US       52.34.198.229:80    ow5dirasuek.com  tcp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5     571ef3f20a7e4eb4071c1ef5a761fc59
SHA1    91e5e12ce1c01e84692d51e5bc9839cba139fccb
SHA256  73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910
SHA512  0ecfca4fe110757ce1bfe8947dae854c6a8bf2ad07c4031cdb7c4f02c4e731bf7d321bf5db73f143fca87d27baafd82acb6612eddf3947e289e6d6c21c3bd80b

\Windows\SysWOW64\omsecor.exe

MD5     f3cc2db076d1d800db9a08d546072285
SHA1    7607e208d664ebb59dd650c0bef73bc11cb8fe46
SHA256  e85deacad0faa920dd06f1b633a58ad6fa3ac9ba894c07cf30bf388f325f2779
SHA512  e7308d4c02551ad7d43b8a4818cc0be1f740b7f7bbe904361a39634c3251e3b365c2b1bcf34e85e89c233b79acb20660a66d5bc2106d9a005a36e70ca64dc188

\Users\Admin\AppData\Roaming\omsecor.exe

MD5     711931d3a250e1bf628509f451066452
SHA1    7a5f9e85ad99adb84cc395c6dcbd335c4431311b
SHA256  707fe8b9b6f7028c164e6690e8f7d1f55dd644b19e8d4593a03294c5c419995a
SHA512  604628834e1f1b60f35d7633f33a9cad22b80512479c073559f7270b09ccc3216c9ae73ac079e4fc9d09569ad6d47645c193d240f5c4473478d5cce3a90ed0a0